Vidar

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of vengeance. This upgraded version of the Arkei stealer has been terrorizing the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 16 April, 2021
Also known as: Arkei
Global rank: 20
Week rank: 21
Month rank: 19
IOCs: 6840

What is Vidar / Arkei malware?

Vidar is an information stealer Trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected machines, take screenshots, steal cryptocurrency and more.

General description of Vidar

Vidar is presumed to have originated in a Russian-speaking country, since the malware is configured to stop executing if it detects that it is running on a machine located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another malware that is sold under the MaaS (Malware-as-a-Service) business model, Vidar can be purchased on its “official” website for a hefty price tag of $700, at least for the PRO version. A stripped-down version of the malware, however, can be obtained for just $250.

Vidar is written in C++. Purchasing an account grants the attacker access to a control panel where the malware can be configured to target particular information on the victims’ PCs. As with Arkei, cybercriminals need to take precautions to secure the main payload themselves, using a cryptor or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the domain names which Vidar uses to locate its C&C servers, where stolen data is dropped, change every four days.

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records (including data from TOR), and autofill values, including banking and credit card details. In addition, the malware can search for cryptocurrency wallet information, take screenshots and record private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar.

Figure 1: A visual process graph generated by ANY.RUN

Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

After the user downloads and runs the malicious file, it spawns a child process and starts to collect information from the infected device. Often, once the information has been collected, the malware terminates and deletes itself through a command-line command.
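The self-termination and self-deletion step described above leaves a process-creation trail that a defender can hunt for: the stealer's own process spawns a command shell whose command line refers to the stealer's executable. The script below is an added example for this page, not ANY.RUN code. The events are constructed Sysmon-style records, and because the page does not give the exact command Vidar issues, the shell images and delete verbs it looks for are an assumed, generic pattern.

```python
"""Flag processes that spawn a shell to delete their own executable.

Added example, not code from ANY.RUN. The events below are constructed
process-creation records; the exact command the stealer runs is not given
on the page, so the shell/delete pattern is an assumed generic heuristic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the started executable
    command_line: str


# Assumption: self-deletion goes through one of these shells and uses a delete verb.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
DELETE_RE = re.compile(r"\b(del|erase|rm|remove-item)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_self_deleting_processes(events):
    """Return (parent, child) pairs where the child is a shell whose command
    line contains a delete verb and the parent's own image path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if _basename(child.image) not in SHELL_IMAGES:
            continue
        parent = by_pid.get(child.parent_pid)
        if parent is None:
            continue
        cmd = child.command_line.lower()
        if DELETE_RE.search(cmd) and parent.image.lower() in cmd:
            hits.append((parent, child))
    return hits


SAMPLE_EVENTS = [  # constructed events, not from a real capture
    ProcessEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(2000, 1000, r"C:\Users\victim\Downloads\invoice.exe",
                 r'"C:\Users\victim\Downloads\invoice.exe"'),
    # the downloaded file spawns a shell that waits and then deletes it
    ProcessEvent(2001, 2000, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c timeout /t 3 & del "C:\Users\victim\Downloads\invoice.exe"'),
    # a benign shell started by explorer, for contrast
    ProcessEvent(3000, 1000, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Users\victim"),
]

if __name__ == "__main__":
    for parent, child in find_self_deleting_processes(SAMPLE_EVENTS):
        print(f"pid {parent.pid} ({parent.image}) spawned pid {child.pid}: "
              f"{child.command_line}")
```

Legitimate installers and updaters also remove their own binaries, so in production this heuristic is best combined with context such as the parent living in a user-writable directory (Downloads, Temp) or the parent having made outbound connections shortly before the shell was spawned.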

How to avoid infection by Vidar?

When spread via spam email campaigns, Vidar stealer requires the user to download and run a malicious file in order to enter an active state and begin execution. Therefore, following some basic online safety rules can ensure that users will stay safe from this malware.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of being infected with malware such as Vidar, which uses these attack vectors to infect victims.

The distribution process of Vidar

Like other malware, Vidar / Arkei is distributed through spam email campaigns as a malicious attachment. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar targets users all over the world with the exception of some ex-USSR countries, including Russia.

How to detect Vidar / Arkei using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering" feature. Open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a highly dangerous information stealer trojan, distributed as malware as a service. Thanks to its extensive stealer feature set, the Vidar trojan can be used to retrieve a wide variety of information, including select cryptocurrency coins, from its victims. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, allowing them to spread information about the danger and develop effective countermeasures.

IOCs

IP addresses
88.99.66.31
208.95.112.1
198.98.55.103
204.11.56.48
188.241.39.10
5.79.66.145
78.46.193.55
45.85.90.86
141.8.192.151
104.168.138.96
92.119.113.254
199.59.242.150
157.90.153.134
156.38.171.144
162.241.244.25
169.239.129.117
31.170.160.127
89.45.67.160
194.67.86.170
Hashes
Domains
intohave.com
tangotangocash.com
yip.su
grab-indonesia.com
boatshowradio.com
majul.com
static.accelerator-introlab.ml
upload.krishgarden.com
booking.msg.bluhotels.com
mail.valoracap.com
www.searzarinfo.com
www.02ip.ru
youtubedow4k.xyz
www.2no.co
shop.iplogger.ru
shop.iplogger.org
www.iplogger.org
iplogger.ru
maper.info
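The IOC lists above are most useful when they are run against DNS and proxy logs, with hostnames matched by domain suffix so that a lookup for a subdomain of a listed domain still hits. The script below is an added example for this page, not ANY.RUN code: the IOC values are a subset copied from the page's lists, the log lines are constructed, and the log layout "<timestamp> <client-ip> <destination>" is an assumption about the reader's own log source.

```python
"""Match the Vidar IOCs listed on this page against DNS / proxy log lines.

Added example, not code from ANY.RUN. IOC values are copied from the page
(a subset, to keep the example short); the log lines are constructed, and
the "<timestamp> <client-ip> <destination>" layout is an assumption.
"""
import ipaddress
import re

# Subset of the page's IOC list.
IOC_IPS = {"88.99.66.31", "208.95.112.1", "198.98.55.103",
           "5.79.66.145", "194.67.86.170"}
IOC_DOMAINS = {"intohave.com", "tangotangocash.com", "iplogger.ru",
               "shop.iplogger.org", "maper.info"}

# Assumed log layout: timestamp, client address, destination host or IP.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)$")


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_matches(hostname: str, iocs=IOC_DOMAINS) -> bool:
    """True if hostname equals an IOC domain or is a subdomain of one, so
    'www.iplogger.ru' hits 'iplogger.ru' but 'notintohave.com' does not."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def scan_log(lines, ips=IOC_IPS, domains=IOC_DOMAINS):
    """Return (timestamp, client, destination, kind) for each line whose
    destination is a listed IP or domain; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, dest = m.group("ts", "client", "dest")
        if is_ip(dest):
            if dest in ips:
                hits.append((ts, client, dest, "ip"))
        elif domain_matches(dest, domains):
            hits.append((ts, client, dest, "domain"))
    return hits


SAMPLE_LOG = [  # constructed lines, not a real capture
    "2021-04-16T10:01:02Z 10.0.0.5 intohave.com",
    "2021-04-16T10:01:09Z 10.0.0.5 208.95.112.1",
    "2021-04-16T10:02:33Z 10.0.0.7 www.iplogger.ru",
    "2021-04-16T10:03:00Z 10.0.0.9 notintohave.com",
    "2021-04-16T10:03:05Z 10.0.0.9 203.0.113.10",
    "malformed line",
]

if __name__ == "__main__":
    for ts, client, dest, kind in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {dest} ({kind} IOC)")
```

Two caveats when using this list operationally. First, the page notes that Vidar's C&C domain names change every four days, so domain IOCs age quickly and a miss proves little. Second, several entries (the iplogger.org and iplogger.ru hosts, for example) belong to public URL-shortener and IP-logging services that legitimate traffic also reaches, so a hit on those should be treated as a weak signal and corroborated with host evidence such as the self-deletion pattern described in the execution section.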
